A Security Resource Is Not 31 Flavors
Articles January 28, 2013 Comments Off on A Security Resource Is Not 31 Flavors 18This series will explore five tips and one bonus tip for acquiring security talent in a landscape that currently has unquenchable demand and not even close to enough supply. So should you just shut down your security effort until the tide turns and you can find what you need? Your Board will buy into that won’t they? Yeah right! So what do you do? Glad you asked. This article will explore practical tips for getting fat on security talent during this brutal situation; a famine that is bound to continue for at least the next two years.
Tip 3: A security resource is NOT 31 Flavors
Nothing beats, in terms of sadness at least, a security job description that asks for a penetration tester, policy writer, application security architect, security lead, reports to the systems architecture group, Incident Response Manager, Head of Compliance, BCP and DR experience and on and on and on, of course with the final token “Must have great communication skills,” all in the same description. Sorry, give me a second; I just threw up in my mouth a little bit again writing that. Ok…I am back.
So another critical pitfall for an organization to avoid during this famine is when they buy into the fact that they need a competent resource, perhaps even are offering a good salary, but then they want the Swiss-army knife of security. This person can deflect denial of service attacks with her teeth or find security flaws in code while she sleeps. She even burps out a good business impact analysis after a nice steak dinner. (So this sentence above is where my editors will quietly try to edit out this line and say something a little softer….a little more politically correct. So if when you read this it does not say anything about burping I will be a bit disappointed). Literally, these people are required to be super human. And they simply don’t exist, famine or no famine……..
Organizations that take this approach, which clearly broadcast their incompetence on job search boards around the globe, often follow the same demise as those that suffer from “The Talent Toilet Bowl Effect.” They get the complete opposite of what they crave, which is the right talent to get their security effort to the next level.
So the tip here is to first develop a security program charter, then structure your security organization with associated roles and responsibilities to accomplish that charter. This will yield the required roles that you need to be successful. Note the “s” in the word roles above. If you can’t get approval from management for what you really need to achieve success, then scale back what your security program can accomplish and clearly present this to your senior leadership or Board. This puts accountability on them, which is where it should be as the over-arching shepherds of your organization. It is your job to present the situation and provide guidance as an expert in security to your leadership so they can make informed business decisions. If they then make a stupid decision, which is common by the way, that will end up on them.
Finally, if you do all I suggest above then this means you are talented. If you don’t get what you need for your effort to be successful, then as a talented person you are a phone call away from a better opportunity from an organization that does have a clue. Being in a hot industry does have its perks, regardless of what my wife says.
As always, please provide your feedback to Mike.Gentile@cisoshare.com or @MikeGentile03 on Twitter; I always read them.